changeset 214:36423e8ab765

Improve input validation.
author Matti Hamalainen <ccr@tnsp.org>
date Sun, 17 Nov 2013 22:01:40 +0200
parents 682a926fd6fb
children bfd480370a70
files admajax.php
diffstat 1 files changed, 99 insertions(+), 34 deletions(-) [+]
--- a/admajax.php	Sun Nov 17 21:03:57 2013 +0200
+++ b/admajax.php	Sun Nov 17 22:01:40 2013 +0200
@@ -9,7 +9,85 @@
 require_once "msite.inc.php";
 require_once "msession.inc.php";
 
+
+function stCheckRequestCompoData($full)
+{
+  if (!stChkRequestItem("name", $fake,
+      array(CHK_ISGT, VT_STR, 0, "Compo name too short"),
+      array(CHK_ISLT, VT_STR, SET_LEN_COMPO_NAME, "Compo name too long.")) ||
+    !stChkRequestItem("description", $fake,
+      array(CHK_ISGT, VT_STR, 10, "Compo description too short"),
+      array(CHK_ISLT, VT_STR, SET_LEN_COMPO_DESC, "Compo description too long.")))
+    return FALSE;
+  
+  if (!$full)
+    return TRUE;
+
+  return
+    stChkRequestItem("visible", $fake,
+      array(CHK_TYPE, VT_BOOL, "Invalid data.")
+    ) &&
+    stChkRequestItem("voting", $fake,
+      array(CHK_TYPE, VT_BOOL, "Invalid data.")
+    ) &&
+    stChkRequestItem("showAuthors", $fake,
+      array(CHK_TYPE, VT_BOOL, "Invalid data.")
+    );
+}
+
+
+function stCheckRequestEntryData(&$compo_id)
+{
+  return
+    stChkRequestItem("name", $fake,
+      array(CHK_ISGT, VT_STR, 0, "Entry name too short."),
+      array(CHK_ISLT, VT_STR, SET_LEN_ENTRY_NAME, "Entry name too long.")
+    ) &&
+    stChkRequestItem("author", $fake,
+      array(CHK_ISGT, VT_STR, 0, "Author name not set."),
+      array(CHK_ISLT, VT_STR, SET_LEN_ENTRY_AUTHOR, "Entry author too long.")
+    ) &&
+    stChkRequestItem("filename", $fake,
+      array(CHK_TYPE, VT_TEXT, "Invalid data."),
+      array(CHK_ISLT, VT_STR, SET_LEN_ENTRY_FILENAME, "Entry filename too long.")
+    ) &&
+    stChkRequestItem("info", $fake,
+      array(CHK_TYPE, VT_TEXT, "Invalid data."),
+      array(CHK_ISLT, VT_STR, SET_LEN_INFO, "Entry info too long.")
+    ) &&
+    stChkRequestItem("compo_id", $compo_id,
+      array(CHK_TYPE, VT_INT, "Invalid compo ID.")
+    );
+}
+
+
+function stCheckRequestNewsData()
+{
+  return
+    stChkRequestItem("text", $fake,
+      array(CHK_ISGT, VT_STR, 0, "News text too short."),
+      array(CHK_ISLT, VT_STR, SET_LEN_NEWS_TEXT, "News text too long.")
+    ) &&
+    stChkRequestItem("author", $fake,
+      array(CHK_ISGT, VT_STR, 0, "News author name too short."),
+      array(CHK_ISLT, VT_STR, SET_LEN_NEWS_AUTHOR, "News author name too long.")
+    ) &&
+    stChkRequestItem("title", $fake,
+      array(CHK_ISGT, VT_STR, 0, "News title too short."),
+      array(CHK_ISLT, VT_STR, SET_LEN_NEWS_TITLE, "News title too long.")
+    );
+}
+
+
+function stGetSaveButton()
+{
+  return "<input type=\"submit\" value=\" Save \" />\n";
+}
+
+
+//
 // Check if we are allowed to execute
+//
 if (!stCheckHTTPS() || !stAdmSessionAuth())
 {
   stSetupCacheControl();
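Review bot: The three new validators leave their contract undocumented: `stCheckRequestCompoData($full)` takes an opaque boolean that decides whether the visible/voting/showAuthors fields are required, `stCheckRequestEntryData(&$compo_id)` writes the validated compo ID back through a reference while every other value is discarded into `$fake`, and nothing states which bound CHK_ISGT/CHK_ISLT are inclusive on. A header comment on each would help, e.g. above line 19: `// Validate compo fields in the request; with $full also require the visible/voting/showAuthors flags. Returns FALSE on the first failing check, so only one error is reported per request.` The error strings are also inconsistent in punctuation (`"Compo name too short"` vs `"Compo name too long."`), which is worth fixing since they are user-visible. Whether `filename` needs more than a length check depends on how it is used downstream, which this hunk does not show.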
@@ -20,23 +98,18 @@
   exit;
 }
 
+
+//
+// Initialize
+//
 stSetupCacheControl();
 
-// Initiate SQL database connection
 if (!stConnectSQLDB())
   die("Could not connect to SQL database.");
 
-// Fetch non-"hardcoded" settings from SQL database
 stReloadSettings();
 
 
-function saveButton()
-{
-  return "<input type=\"submit\" value=\" Save \" />\n";
-}
-
-
-// XMLHttp responses
 $type = stGetRequestItem("type", "");
 switch (stGetRequestItem("action", ""))
 {
@@ -136,13 +209,15 @@
           "  <td>".$item["desc"]."</td>\n".
           " </tr>\n";
         }
-        echo "</table>\n".saveButton();
+        echo "</table>\n".stGetSaveButton();
 
         foreach (stExecSQL("SELECT * FROM settings WHERE vtype=".VT_TEXT) as $item)
         {
-          echo "<h2>".chentities($item["desc"])."</h2>\n".
-          stGetFormTextArea(10, 60, "", $item["key"], $prefix, $item["vtext"]).
-          "\n<br />\n".saveButton();
+          echo
+            "<h2>".chentities($item["desc"])."</h2>\n".
+            stGetFormTextArea(10, 60, "", $item["key"], $prefix, $item["vtext"]).
+            "\n<br />\n".
+            stGetSaveButton();
         }
         echo "</form>\n";
         break;
@@ -373,8 +448,7 @@
     //
     // Add new entry
     //
-    if ($type == "news" && stChkRequestItem("text") &&
-      stChkRequestItem("author") && stChkRequestItem("title"))
+    if ($type == "news" && stCheckRequestNewsData())
     {
       $sql = stPrepareSQL(
         "INSERT INTO news (utime,title,text,author) VALUES (%d,%S,%Q,%S)",
@@ -383,8 +457,7 @@
       stExecSQLCond($sql, "OK, news item added.");
     }
     else
-    if ($type == "compo" && stChkRequestItem("name") &&
-      stChkRequestItem("description"))
+    if ($type == "compo" && stCheckRequestCompoData(FALSE))
     {
       $sql = stPrepareSQL(
         "INSERT INTO compos (name,description,visible,voting,showAuthors) VALUES (%S,%Q,0,0,0)",
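Review bot: The bare `FALSE` argument in `stCheckRequestCompoData(FALSE)` (and `TRUE` at the update branch, line 203) does not tell a reader what is being toggled; a short comment at each call, `/* full = FALSE: insert only needs name + description */`, or two named constants would make the intent visible. The inline checks this replaces were self-describing, so this is a readability cost of the refactor rather than a defect. The enclosing `switch` case starts and ends outside this hunk.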
@@ -402,12 +475,11 @@
       stExecSQLCond($sql, "OK, attendee added.");
     }
     else
-    if ($type == "entry" && stChkRequestItem("name") &&
-      stChkRequestItem("author") && stChkRequestItem("compo_id"))
+    if ($type == "entry" && stCheckRequestEntryData($fake))
     {
       $sql = stPrepareSQL(
-        "INSERT INTO entries (name,author,compo_id,filename) VALUES (%S,%S,%D,%S)",
-        "name", "author", "compo_id", "filename");
+        "INSERT INTO entries (name,author,compo_id,filename,info) VALUES (%S,%S,%D,%S,%S)",
+        "name", "author", "compo_id", "filename", "info");
 
       stExecSQLCond($sql, "OK, entry added.");
     }
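Review bot: The entry insert now type-checks `compo_id` but does not verify that the compo exists, whereas the corresponding update branch (line 218) queries `compos` first; unless the schema enforces a foreign key, which this diff does not show, an entry can be created that references a nonexistent compo. Passing `$compo_id` instead of `$fake` and adding the same guard, `if (stFetchSQLColumn("SELECT id FROM compos WHERE id=".intval($compo_id)) === FALSE) stError("No such compo ID."); else { ... }`, keeps the two paths consistent. The enclosing `switch` case starts and ends outside this hunk.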
@@ -442,9 +514,7 @@
         stExecSQLCond($sql, "OK, attendee updated.");
       }
       else
-      if ($type == "news" &&
-        stChkRequestItem("text") && stChkRequestItem("author") &&
-        stChkRequestItem("title"))
+      if ($type == "news" && stCheckRequestNewsData())
       {
         $sql = stPrepareSQLUpdate("news",
           "WHERE id=".intval(stGetRequestItem("id")),
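Review bot: The new validators cover the payload fields but not `id`, so an update request with a missing or non-numeric `id` still reaches `"WHERE id=".intval(stGetRequestItem("id"))` as `WHERE id=0` and silently updates nothing (same at line 206 and in the compo/entry update branches). Unless `id` is checked above this hunk, which I cannot see, adding `stChkRequestItem("id", $fake, array(CHK_TYPE, VT_INT, "Invalid ID."))` to the condition would reject such requests with an explicit error instead. The `intval()` itself is the right thing for the SQL concatenation.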
@@ -457,10 +527,7 @@
         stExecSQLCond($sql, "OK, news item updated.");
       }
       else
-      if ($type == "compo" &&
-        stChkRequestItem("name") && stChkRequestItem("description") &&
-        stChkRequestItem("visible") && stChkRequestItem("voting") &&
-        stChkRequestItem("showAuthors"))
+      if ($type == "compo" && stCheckRequestCompoData(TRUE))
       {
         $sql = stPrepareSQLUpdate("compos",
           "WHERE id=".intval(stGetRequestItem("id")),
@@ -475,14 +542,11 @@
         stExecSQLCond($sql, "OK, compo updated.");
       }
       else
-      if ($type == "entry" &&
-        stChkRequestItem("name") && stChkRequestItem("author") &&
-        stChkRequestItem("compo_id"))
+      if ($type == "entry" && stCheckRequestEntryData($compo_id))
       {
-        $cid = stGetRequestItem("compo_id");
-        if (stFetchSQLColumn("SELECT id FROM compos WHERE id=".$cid) === FALSE)
+        if (stFetchSQLColumn("SELECT id FROM compos WHERE id=".$compo_id) === FALSE)
         {
-          stError("No such compo id.");
+          stError("No such compo ID.");
         }
         else
         {
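Review bot: `"SELECT id FROM compos WHERE id=".$compo_id` concatenates the value written back by `stChkRequestItem`, and this hunk does not show whether a CHK_TYPE/VT_INT check stores a cast integer or the raw request string in the reference. The previous code had the same shape with `$cid`, so the commit does not make it worse, but writing it as `"WHERE id=".intval($compo_id)` — as the neighbouring `id` lookups already do — makes the statement safe regardless of the helper's contract. This hunk sits inside a `switch` case whose start and end lie outside it.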
@@ -492,6 +556,7 @@
               "name" => "S",
               "author" => "S",
               "filename" => "S",
+              "info" => "S",
               "compo_id" => "D",
             ));